US11531777B2ActiveUtilityA1

Methods and systems for restricting data access based on properties of at least one of a process and a machine executing the process

49
Assignee: VIRTRU CORPPriority: Jan 30, 2019Filed: Jan 23, 2020Granted: Dec 20, 2022
Est. expiryJan 30, 2039(~12.6 yrs left)· nominal 20-yr term from priority
H04L 63/102H04L 9/083H04L 63/08G06F 21/6218H04L 9/321H04L 63/0428H04L 2463/101
49
PatentIndex Score
0
Cited by
134
References
13
Claims

Abstract

A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of secure distribution, in a multi-tenant remote computing environment, of data, the method comprising:
 receiving a request for first verification data, from a first client computing device, by a management application on a first of a plurality of multi-tenant computing devices, the management application stored in a protected region of physical memory and executed by a processor in a trusted execution environment in the one of the plurality of multi-tenant computing devices; 
 transmitting, by the management application, to the first client computing device, first verification data including an enumeration of process attributes for a type of multi-tenant computing device in the plurality of multi-tenant computing devices that the management application trusts; 
 receiving, by the management application, from the first client computing device, data and information associated with the data; 
 requesting second verification data, by the management application, from a transactional service executing on a second of the plurality of multi-tenant computing devices, the transactional service stored in an encrypted region of physical memory and executed by a processor in a trusted execution environment in the second of the plurality of multi-tenant computing devices; 
 requesting, by the management application, from a third-party authentication provider, verification of at least one attribute of the transactional service based upon received second verification data; and 
 transmitting, by the management application, to the transactional service, the received data and information associated with the data, responsive to verification by the third-party verification provider of the at least one attribute of the transactional service. 
 
     
     
       2. The method of  claim 1  further comprising transmitting, by the management application to the first client computing device, first verification data including an identification of an attribute of the trusted execution environment on the first of the plurality of multi-tenant computing devices executing the management application. 
     
     
       3. The method of  claim 1  further comprising transmitting, by the management application to the first client computing device, first verification data including an identification of an attribute of the encrypted region of physical memory storing the management application. 
     
     
       4. The method of  claim 1  further comprising receiving, by the management application from the transactional service, verification data including an identification of an attribute of the trusted execution environment on the second of the plurality of multi-tenant computing devices executing the management application. 
     
     
       5. The method of  claim 1  further comprising receiving, by the management application from the transactional service, verification data including an identification of an attribute of the encrypted region of physical memory storing the transactional service on the second of the plurality of multi-tenant computing devices. 
     
     
       6. The method of  claim 1  further comprising:
 requesting third verification data, by the management application, from a second transactional service executing on a third of the plurality of multi-tenant computing devices, the second transactional service stored in an encrypted region of physical memory and executed by a processor in a trusted execution environment in the third of the plurality of multi-tenant computing devices; 
 requesting, by the management application, from a third-party verification provider, verification of at least one attribute of the second transactional service based upon the second verification data; and 
 transmitting, by the management application, to the second transactional service, the received data and information associated with the data, responsive to verification by the third-party verification provider of the at least one attribute of the second transactional service. 
 
     
     
       7. The method of  claim 6  further comprising receiving, by the management application, from the third of the plurality of multi-tenant computing devices, an indication that the second transactional service is available for providing at least one service to at least one client computing device. 
     
     
       8. The method of  claim 7 , wherein requesting third verification data further comprises transmitting the request for the third verification data responsive to receiving the indication of availability of the second transactional service. 
     
     
       9. The method of  claim 1  further comprising:
 receiving, from a second client computing device, by the transactional service, a request for the data, the request including an identifier of an identity provider in a plurality of identifiers; 
 verifying, by the transactional service, that a user of the second client computing device is identified in the received information associated with the data; 
 selecting, by the transactional service, the identity provider from the plurality of identity providers, based on the identifier included in the request for the received information associated with the data; 
 requesting, by the transactional service, from the selected identity provider, authentication of the user of the second client computing device; and 
 sending, by the transactional service, to the second computing device, the data, responsive to the authentication by the selected identity provider of the user of the second client computing device. 
 
     
     
       10. The method of  claim 1  further comprising:
 receiving, from a second client computing device, by the transactional service, a request for the cryptographic data; 
 authenticating, by the transactional service, a user of the second client computing device; and 
 sending, by the transactional service, to the second client computing device, the data, responsive to the authentication. 
 
     
     
       11. The method of  claim 1  further comprising:
 receiving, from the first client computing device, by the transactional service, a request for the data; 
 authenticating, by the transactional service, a user of the first client computing device; and 
 sending, by the transactional service, to the first client computing device, the data, responsive to the authentication. 
 
     
     
       12. The method of  claim 1  further comprising executing, by the transactional service, a key management service. 
     
     
       13. The method of  claim 1  further comprising executing, by the transactional service, an access control management service.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.